Login

Cisco Multicloud Defense User Guide

Multicloud Defense User Guide
- About Multicloud Defense
  - About Multicloud Defense
    - Multicloud Defense Naming Conventions
    - Supported Regions
    - Recommended Versions of Multicloud Defense Components
      - Third Party Product Support and Versioning
    - Multicloud Defense in Cisco Security Cloud Control
  - Multicloud Defense Components
  - Multicloud Defense Controller Dashboard
    - My Profile Information
  - Multicloud Defense 90-Day Free Trial
Setup with the Multicloud Defense Wizard
- Setup with the Multicloud Defense Wizard
  - Connect Cloud Account
    - Connect An AWS Account
    - Connect Azure Account
    - Connect Google Cloud Platform Account
    - Connect to an OCI Account
      - Prepare Your OCI Account
      - Connect Oracle Account
  - Enable Traffic Visibility
    - Enable Traffic for an AWS Account
    - Enable Traffic for an Azure Account
    - Enable Traffic for a GCP Project
  - Secure Your Account
    - Centralized Model: Add a VPC or VNet
    - Distributed Model
      - Azure Distributed Model: Create a Gateway
Account Onboarding
- AWS
  - AWS Overview
  - Connect AWS Account to Multicloud Defense Controller from the Multicloud Defense Dashboard
    - CloudFormation Outputs
    - Roles Created by Multicloud Defense
      - MCDControllerRole
      - MCDGatewayRole
      - MCDInventoryRole
      - InventoryMonitorRule
- Azure
  - Prepare Your Azure Account
    - Register Application in Microsoft Entra ID
    - Create a custom role to assign to the Application
    - Connect an Azure Subscription to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - Accept Marketplace Terms
  - Connect an Azure Subscription to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - VNet Route Tables for your Azure Subscription
    - Roles Created by Multicloud Defense
      - Azure IAM Roles
  - Post-Onboarding Procedures
    - Azure VNet Setup
      - Subnets
      - Security Groups
      - Launch ARM Template
- GCP
  - GCP Overview
    - Overview of Creating a GCP Controller Service Account
    - Create a GCP Firewall Service Account
  - Connect a GCP Project to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - Roles Created by Multicloud Defense
      - GCP IAM Roles
- OCI
  - Prepare Your OCI Account
  - Connect the Oracle OCI Tenant to the Multicloud Defense Controller from the Multicloud Defense Dashboard
- Remove a Cloud Service Provider From Multicloud Defense
  - Delete a GCP Project From Multicloud Defense
  - Delete an AWS Account From Multicloud Defense
  - Delete an Azure Account From Multicloud Defense
  - Delete an OCI Account From Multicloud Defense
Secure Your AI Assets with AI Defense
- AI Defense
  - AI Defense Integration with Multicloud Defense
Discovery
- Asset and Inventory Discovery
  - Discovery Summary
  - Inventory
    - Applications
    - Discovered Assets
    - Enable Asset Discovery and Inventory
  - Security Insights
    - Types of Security Insights
      - Security Groups
      - Application Security Groups
      - Network ACL
      - Subnets
      - Route Tables
      - Network Interfaces
      - VPCs\VNets
      - Applications
      - Load Balancers
      - Instances
      - Tags
      - Certificates
      - Topology
      - Insights
  - Rules and Findings
    - Rules and Findings
    - Pre-Defined Rules
    - Custom Rules
    - Findings
Multicloud Defense Gateway
- The Multicloud Defense Gateway and Service VPCs or VNets
  - Supported Gateway Use Cases
    - Secure Firewall Threat Defense Virtual
    - Multicloud Defense Egress Gateways
    - Multicloud Defense Ingress Gateways
    - Multicloud Defense East-West Gateways
    - Multicloud Defense Distributed Gateways
    - Gateways Deployed in Centralized / Hub Mode
    - Advanced Gateway Configuration: Use Your Own Load Balancer
  - Configure Service VPCs and Service VNets
    - Create a Service VPC or VNet
    - Secure Spoke VPC or VNet
      - Manage the Service VPC/VNet
      - Export a Spoke VPC or VNet
      - Delete a Spoke VPC or Vnet
  - Configure Your Gateway
    - Before You Begin
      - Resources Created by Multicloud Defense
    - Add a Multicloud Defense Gateway
    - Create an FTDv Gateway
    - Edit a Multicloud Defense Gateway
    - Upgrade the Multicloud Defense Gateway
    - Upgrade Your Threat Defense Virtual Device
    - Abort a Multicloud Defense Gateway
    - Enable a Multicloud Defense Gateway
    - Disable a Multicloud Defense Gateway
    - Export a Multicloud Defense Gateway
    - Delete a Multicloud Defense Gateway
    - Protect Multiple Servers with Ingress Gateways
- Site-to-Site VPN Tunnel Connection
  - Prerequisites and Limitations for Site-to-Site VPN Tunnels
  - Enable VPN Within the Gateway
  - Create a Site-to-Site VPN Connection
  - Edit a Site-to-Site VPN Tunnel
  - Clone a Site-2-Site VPN Tunnel Connection
  - Delete a VPN Tunnel Connection
- Bring Your Own VPC into Multicloud Defense
  - Bring Your Own VPC
  - Guidelines to Configure Bring Your Own VPC
  - Bring Your Own VPC Into Multicloud Defense
  - Deploy the Multicloud Defense Gateway
  - Protect Egress Forwarding Proxy for Subnets
  - Troubleshooting For Bring Your Own VPC
- Configure a Virtual Network Connection for Azure Virtual WAN
  - Overview of Virtual WAN
  - Guidelines for Virtual WAN Connections to Azure vHub
  - Create Service VPC with Virtual WAN Attachment
  - Modify Service VPC with Virtual WAN Attachment
Security Policies
- Policy Objects
  - Objects Overview
  - How to Tag Object Resources
  - Add a Tagged Object to a Policy
  - Address Objects
    - Address Objects
      - Src/Dest
        
        Dynamic Cloud Constructs
        
        Geo IP
        
        Group
        
        Source or Destination Address Object Parameters
      - Reverse Proxy Target Address Object
        
        Reverse Proxy Target Address Object Parameters
      - System Objects
    - Create a Source/Destination Address Object
    - Create a Reverse Proxy Target Address Object
    - Edit Address Objects
    - Clone Address Objects
    - Delete Address Object
    - View Details
  - FQDN Objects
    - FQDN Match Object
      - Standalone vs. Group
      - Create Standalone FQDN Match Object
      - Create Group FQDN Match Object
      - Associate the Object
      - Block an FQDN Match Object
  - Service Objects
    - Reverse Proxy Service Object (Ingress)
    - Forward Proxy Service Object (Egress / East-West)
    - Forwarding Service Object (Egress / East-West)
- Rules and Rule Sets
  - Policy Management
    - Policy Rule Set Gateway and Management
  - Rules
  - Rule Sets and Rule Set Groups
    - Create Policy Rule Set
    - Create a Rule in a Rule Set
      - Add or Edit a Forwarding Rule in a Rule Set
      - Add or Edit a Reverse Proxy Rule in a Rule Set
      - Add or Edit a Forward Proxy Rule in a Rule Set
      - Disable, Edit, Clone, or Delete Rules in a Rule Set
    - Create a Policy Rule Set Group
- Objects
  - About the Multicloud Defense Connector
  - Import Objects From Security Cloud Control
- Address Objects
  - Address Objects
    - Src/Dest
      - Dynamic Cloud Constructs
      - Geo IP
      - Group
      - Source or Destination Address Object Parameters
    - Reverse Proxy Target Address Object
      - Reverse Proxy Target Address Object Parameters
    - System Objects
  - Create a Source/Destination Address Object
  - Create a Reverse Proxy Target Address Object
  - Edit Address Objects
  - Clone Address Objects
  - Delete Address Object
  - View Details
- FQDN Objects
  - FQDN Match Object
    - Standalone vs. Group
    - Create Standalone FQDN Match Object
    - Create Group FQDN Match Object
    - Associate the Object
    - Block an FQDN Match Object
- Service Objects
  - Reverse Proxy Service Object (Ingress)
  - Forward Proxy Service Object (Egress / East-West)
  - Forwarding Service Object (Egress / East-West)
- Certificates and Keys
  - Certificates and Keys
    - Import Certificate
    - AWS - KMS
    - AWS - Secrets Manager
    - Azure Key Vault
    - GCP - Secret Manager
  - Server Certificate Validation
    - Server Certificate Validation in the TLS Decryption Profile
    - Server Certificate Validation in the FQDN Service Object
    - Certificate for Custom Root CA
- Certificate and Keys Tech Notes
  - Generate a Self-Signed Root CA
  - Generate a Certificate Signed by your Self-Signed Root CA
  - Generate an Intermediate CA Signed by Your Root CA
  - App Certificate signed using the Intermediate CA
  - Install Root CA as Trusted CA on the Hosts
Traffic Discovery and Visiblilty
- Types of Traffic
  - Enable DNS Logs
    - AWS: Enable DNS Logs
    - GCP: Enable DNS Logs
    - Azure: DNS Logs
  - Enable VPC Flow Logs
    - AWS: Enable VPC Flow Logs
    - GCP: Enable VPC Flow Logs
    - Azure: Enable NSG Flow Logs
Profiles for Security and Gateway
- Security Profiles
  - Decryption Profile
    - Create a Decryption Profile
  - Network Intrusion (IDS/IPS) Profile
    - Create an IPS/IDS Profile
  - Data Loss Prevention (DLP) Profile
    - Create a Data Loss Prevention Profile
  - Anti-Malware Profile
    - Create an Anti-Malware Profile
  - Web Application Firewall (WAF) Profile
    - Create WAF Profile
      - Event Filtering
  - Layer 7 DOS
    - Create L7 DoS Profile
  - URL (Uniform Resource Locator) Filter Profile
    - Create the URL Filtering Profile
  - Fully Qualified Domain Name Filter Profile
    - Create a Standalone FQDN Filter Profile
    - Create a Group FQDN Filter Profile
  - Malicious IP Profile
    - Create a Malicious IP Profile
    - IP Reputation
  - (Preview Only) Identity Profile
    - Create an Identity Profile
  - (Preview Only) User Profile
    - Create a User Profile
  - AI Guardrails Profile
    - Create an AI Guardrails Profile
- Gateway Profiles
  - Packet Capture Profile
    - Create a Packet Capture Profile
  - Log Forwarding Profile
    - Create a Standalone Log Forwarding Profile
    - Create a Log Forwarding Group
  - Gateway Metrics Forwarding Profile
    - Create a Standalone Metrics Forwarding Profile
    - Create a Group Metrics Forwarding Profile
  - (Preview Only) Network Packet Broker Profile
    - Create Network Packet Broker Profile
  - Network Time Protocol Profile
    - Create a Profile
  - IPSec Profile
    - Create an IPSec Profile
  - BGP Profile
    - Create a BGP Profile
- Profile Actions
  - View a Profile Details
  - Edit a Standalone Metrics Forwarding Profile
  - Edit a Group Profile
  - Add a Gateway Association to a Profile
  - Remove a Gateway Association
  - Delete a Profile
- FQDN and URL Filtering Categories
  - FQDN / URL Filtering Categories
  - Malicious Categories
  - Full List of Categories
  - Associating a Filtering Profile with a Policy Ruleset Rule
  - Cisco Talos Intelligence URL / IP Lookup Tool
Investigate and Analysis
- Flow Analytics
  - Flow Analytics - Traffic Summary
  - Flow Analytics - All Events
    - Event Logs
  - Firewall Events
  - Network Threats
  - Web Attacks
  - URL Filtering
  - FQDN Filtering
  - HTTPS Logs
  - VPN Logs
  - EndUser Logs
  - HTTP2 Logs
  - AI Guardrails Logs
- Network Analytics
  - Stats
    - Total Bandwidth
    - CPU Usage
    - Memory Usage
    - Connection Rate
    - HTTP Request Rate
- System Status
  - Audit Logs
    - Search Filter
  - System Logs
    - Search Filter
Threat Research
- Threat Research
  - Network Intrusion
  - Web Protection
  - Malicious Sources
Cloud Visibility Reports
- Cloud Visibility Reports
  - Generate a Discovery Report
  - Generate a Threat And Cloud Analytics Report
Alerting and Log Forwarding
- Alerting Overview
  - Alert Services Overview
- Alert Destinations / SIEMs
  - Datadog
    - Create an Alert Profile Service
    - Create an Alert Rule
  - Microsoft Sentinel
    - Create an Alert Profile Service
    - Create an Alert Rule
  - PagerDuty
    - Create an Alert Profile Service
    - Create an Alert Rule
  - ServiceNow
    - Create an Alert Rule
    - Create an Alert Profile Service
  - Slack
    - Create a Slack Alert Rule
    - Create an Alert Profile Service
  - Microsoft Teams
    - Create a Microsoft Teams Alert Profile Service
    - Create a Microsoft Teams Service Rule
  - Webex
    - Create an Alert Profile Service
    - Create an Alert Rule
  - Splunk
    - Create a Splunk Profile Service
    - Create a Splunk Rule
- Log Forwarding Overview
  - Security Events and Traffic Logs
    - Create a Standalone Event or Traffic Log Profile
    - Edit a Standalone Event or Traffic Log Profile
    - Create a Group Event or Traffic Log Profile
    - Edit a Group Event or Traffic Log Profile
    - View an Event or Traffic Log Forwarding Profile
    - Delete an Event or Traffic Log Profile
  - Discovery Logs
    - Create a Standalone Discovery Log Profile
    - Edit a Standalone Discovery Log Profile
    - Create a Group Discovery Log Profile
    - Edit a Group Discovery Log Profile
    - View a Discovery Log Profile Details
    - Add a Discovery Log Profile with a Cloud Account
    - Remove a Discovery Log Profile from a Cloud Account
    - Delete a Discovery Log Profile
  - Gateway Metrics Forwarding Profile
    - Create a Standalone Metrics Forwarding Profile
    - Edit a Standalone Metrics Forwarding Profile
    - Create a Group Metrics Forwarding Profile
    - Edit a Group Profile
    - Delete a Metrics Forwarding Profile
  - Add an Event, Traffic Log Forwarding Profile, or Metrics Forward Profile to a Gateway
  - Remove an Event, Traffic Log Forwarding Profile, or Metrics Forward Profile from a Gateway
- Log Forwarding Destinations / SIEMs
  - AWS S3 Bucket
  - Datadog
  - GCP Logging
  - Microsoft Sentinel
  - Splunk
  - Sumo Logic
  - Syslogs
  - Webhook
Administration
- Management
  - Management
    - API Keys
      - Create an API Key in Multicloud Defense
      - Delete an API Key from Multicloud Defense
    - Account Level Settings
      - Application Tags
        
        Create an Application Tag
        
        Edit an Application Tag
        
        Delete an Application Tag
      - Custom Tags
        
        Create a Custom Tag
        
        Edit a Custom Tag
        
        Delete a Custom Tag
    - System
    - Metering
  - Alert Profiles
    - Services
      - Create a Service
      - Edit a Service
      - Clone a Service
      - Export a Service
      - Delete a Service
    - Alerts
      - Create an Alert
      - Edit an Alert
      - Clone an Alert
      - Export an Alert
      - Delete an Alert
Manage Your Multicloud Defense Account
- Manage Your Multicloud Defense Account
  - Account (Multicloud Defense Tenant)
  - User Roles in Security Cloud Control
    - Roles in Multicloud Defense
- Cloud Accounts
  - Cloud Accounts
    - Add Account
    - Manage Inventory
    - Edit a Cloud Account
    - Update Log Profile for a Cloud Account
    - Export a Cloud Account
    - Delete a Cloud Account
  - Inventory
Certificates and Awards
Troubleshoot Your Account
- Troubleshoot Connecting Your Account
  - Manually Onboard an Account
    - Manually Onboard a GCP Project
      - GCP Overview
      - Service Accounts
        
        Create Multicloud Defense Controller Service Account Using GCP Cloud Console
        
        Create a Multicloud Defense Firewall Service Account Using the GCP Cloud Console
      - Enable API
        
        Enable API-Using the GCP Cloud Console
      - VPC Setup
        
        VPC and Subnets
        
        Sample VPC and Subnets using CLI
        
        Network Tags (for GCP Gateways)
      - Gateway Creation
    - Manually Onboard an Azure Subscription
      - (Optional) User-assigned Managed Identity for Key Vault and Blob Storage access
      - Register Application in Microsoft Entra ID
      - Create a custom role to assign to the Application
        
        Required Values For Multicloud Defense Controller Onboarding
      - Accept Marketplace Terms
  - Graceful Termination of Connections
  - Terraform Onboarding Scripts for Cloud Accounts
    - About Terraform
    - Terraform Repository
    - Exporting Configuration as Terraform Block

Software Multicloud Defense

Activity Onboard

Alerting and Log Forwarding Alert Destinations / SIEMs ServiceNow Create an Alert Rule

Last updated: Jul 03, 2025

Create an Alert Rule

Before you begin

In order to complete the steps in this guide, you will need:

A ServiceNow account with an Incoming Webhook URL.
An API Key configured.

Sign up for a ServiceNow account ( https://www.servicenow.com/my-account/sign-up.html)
Setup Webhook and API Key ( https://docs.servicenow.com/search?q=setup_webhook)

Procedure

1	In the Security Cloud Control platform menu, choose Products > Multicloud Defense .
2	Navigate to System and Accounts > Service Alerts > Alert Rules.
3	Click Create.
4	Profile Name - Enter unique name for the integration. Example `mcd-servicenow-alert-rule`.
5	(Optional)Description - Enter a description for the aler trule.
6	Alert Profile - Expand the drop-down menu and select a Microsoft Teams alert profile.
7	Type - Expand the drop-down menu and select one of the following types: System Logs Audit Logs Discovery If you select Audit Logs, there are no other configurable items. Click Save to finalize the rule.
8	If you select either System Logs or Discovery as your Type, then expand the Sub Type drp-down menu and select one of the following options: Gateway Account Controller
9	Expand the Severitydrop-down menu and select one of the following labels. Note that the options below are dependent on the Type you selected in step 7. Info Warning Medium High Critical
10	Enabled - This option is checked by default to enable and implement this alert immediately after saving. Unceck this box if you do not to immediately apply the rule to your environment.
11	Click Save.

Previous topic ServiceNow Next topic Create an Alert Profile Service